CROSS REFERENCE TO RELATED APPLICATIONS

This application takes priority under 35 U.S.C. §119(e) of U.S. Patent Application
No. 60/481,313 filed August 29, 2003 (Attorney Docket No.: TRNDP009P) naming
Liang et al. as inventor(s) entitled "VIRUS MONITOR AND METHODS OF USE
THEREOF" which is also incorporated herein by reference for all purposes. This
application is also related to the following co-pending U.S. Patent applications,
which are filed concurrently with this application and each of which are herein
incorporated by reference, (i) U.S. Patent Application No. 10/684,330 (Attorney
Docket No.: TRNDP009), entitled "VIRUS MONITOR AND METHODS OF USE
THEREOF" naming Liang et al as inventors; (ii) U.S. Patent Application No.
10/683,528 (Attorney Docket No.: TRNDP010), entitled "AUTOMATIC
REGISTRATION OF A VIRUS/WORM MONITOR IN A DISTRIBUTED
NETWORK" naming Liang et al as inventors; (iii) U.S. Patent Application No.
10/683,873, (Attorney Docket No.: TRNDP011), entitled "NETWORK TRAFFIC
MANAGEMENT BY A VIRUS/WORM MONITOR IN A DISTRIBUTED
NETWORK", naming Liang et al as inventors; and (iv) U.S. Patent Application No.
10/683,874 (Attorney Docket No.: TRNDP012), entitled "ANTI-VIRUS
SECURITY POLICY ENFORCEMENT", naming Liang et al as inventors; (v) U.S.
Patent Application No. 10/683,584 (Attorney Docket No.: TRNDP015), entitled
"ANTI-COMPUTER VIRAL AGENT SUITABLE FOR INNOCULATION OF
COMPUTING DEVICES", naming Liang et al as inventors; and (vi) U.S. Patent
Application No. 10/683,554 (Attorney Docket No.: TRNDP013), entitled
"INNOCULATION OF COMPUTING DEVICES AGAINST A SELECTED
COMPUTER VIRUS", naming Liang et al as inventors.

Please replace paragraph [0025] with the following amended paragraph:

[0025] In addition to providing scalability, the tiered architecture of network
100 provides for topologically advantageous positioning of the network virus
monitor 102. For example, in the instant case, virus monitor 102 is placed between
the tier 2 switch 120 and the lower level tier 3 switch 122 to which the
various client devices 104 - 116 are coupled. In this way, all network traffic
between the tier 2 switch (which may be coupled directly to the Internet backbone,
for example) and any of the tier 3 switches can be monitored by the virus monitors
102 at a point prior to any of the client devices. By providing a bulwark against a
potential virus attack, the virus monitors 102 provide a focal point for virus
detection, virus outbreak prevention, and, if needed, virus outbreak cleanup and
restoration that, in turn, effectively protect the various client devices from the
attacking virus. It should be noted, that a docking port 125 can be included in
network 100 arranged to accept temporary, or visitor, client devices.

Please replace paragraph [0041] with the following amended paragraph: 

[0041] In the case where virus monitor 102 has detected a possible virus in
one or more of the data packets (or in the case where a potential intruder attack is
underway), virus monitor 102 generates an event flag. This event flag provides
information based upon the detected virus using both the rules set 136 and the OPP
file 135 as well as any other data deemed useful. Typically, the event flag is
passed directly to the controller 126 which may, in some cases, forward the event
flag to the server 138 for further analysis and/or disposition of any remedial
actions, if any. This collaborative nature of the inventive virus monitoring system
is well documented and described in co-pending U.S. Patent Application No.
10/411,665, Attorney Docket No: 87152491-002027 entitled, "MULTILEVEL
VIRUS OUTBREAK ALERT BASED ON COLLABORATIVE BEHAVIOR" by
Liang et al filed on April 10, 2003 which is incorporated by reference herein in its
entirety for all purposes.

Please replace paragraph [0042] with the following amended paragraph:

[0042] In some cases, the event flag represents a potential threat so severe
that the operation mode of virus monitor 102 is immediately changed from the
standby mode to what is referred to as the inline mode without intervention from
the controller 126 as shown in FIG. 5. In the inline mode, all data packets in the
traffic flow T1 are analyzed without copying such that those data packets
determined to be (or suspected of being) infected are not allowed to pass back into
the traffic flow (in this case T1 is greater than T2). In this way, the virus is blocked
from passing to and throughout network 100. In other instances where the event
itself does not trigger virus monitor 102 to change operations mode to the inline
mode, a mode change command 502 from the controller 126 or mode
change command 504 from the server 128 is used to trigger the mode change. In
this way, the inventive anti-virus system has the added advantage of delegating
authority to the virus monitors in those situations where speed is of the essence to
contain a potential viral outbreak. On the other hand, in those cases where the
threat is less clear, or further analysis is required, the onus of determining the
threat potential and execution of a defense plan can be focused in higher level
analysis engines (such as a system administrator, for example) thereby reducing
false alarms and unnecessary system shutdowns.

Please replace paragraph [0054] with the following amended paragraph:

[0054] Accordingly, FIG. 8 illustrates a virus monitor 800 as one possible
implementation of virus monitor 102. Accordingly, the virus monitor 800 includes
a traffic controller 802 coupled to network 100 by way of a network interface 804
that includes an intruder detection system (IDS) module 806 for evaluation of
potential intruder attacks described in co-pending U.S. Patent Application No.
10/411,665, Attorney Docket No. TRNDP044 entitled,
"MULTILEVEL VIRUS OUTBREAK ALERT BASED ON COLLABORATIVE
BEHAVIOR" by Liang et al filed April 10, 2003 which is incorporated by
reference herein in its entirety for all purposes. Such intruder based attacks
include a Denial of Service (DoS) attack whereby a large number of requests are
made to a particular server computer within a small period of time resulting in the
attacked server computer being unable to provide access to other, legitimate,
requestors. The IDS module 806 determines an associated alert level based on the
volume of the data traffic flow at the virus monitor 800 in a unit time interval
which is designated as being abnormal if the volume of the data traffic flow is
larger than a predetermined value in a predetermined time period.
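
The volume-based alert level of paragraph [0054] and the standby-to-inline mode change of paragraph [0042] can be modeled together in a short simulation; this is an added illustration, not code from the application. The class and field names, the byte unit, the two alert levels, the 4x severity factor and the `infected` scan verdict are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    STANDBY = "standby"  # analysis runs on copies; original packets pass through
    INLINE = "inline"    # packets are analyzed in the flow; suspect ones are dropped

@dataclass
class VirusMonitor:
    limit_bytes: int            # the "predetermined value" (bytes is an assumption)
    window_s: float             # the "predetermined time period"
    severe_factor: float = 4.0  # assumption: volume above 4x the limit is severe
    mode: Mode = Mode.STANDBY
    flags: list = field(default_factory=list)  # event flags for the controller
    _window_start: float = 0.0
    _volume: int = 0
    _level: int = 0             # highest alert level already flagged this window

    def observe(self, ts: float, size: int, infected: bool = False) -> bool:
        """Account for one packet; return True if it is passed downstream."""
        if ts - self._window_start >= self.window_s:  # start a new unit interval
            self._window_start, self._volume, self._level = ts, 0, 0
        self._volume += size
        level = 0
        if self._volume > self.limit_bytes:
            level = 2 if self._volume > self.severe_factor * self.limit_bytes else 1
        if infected or level > self._level:
            self.flags.append({"ts": ts, "level": level, "infected": infected})
            self._level = max(self._level, level)
        if level == 2:
            self.mode = Mode.INLINE  # severe: switch without waiting for the controller
        return not (self.mode is Mode.INLINE and infected)

    def mode_change_command(self, mode: Mode) -> None:
        """Mode change command issued by the controller or the server."""
        self.mode = mode

def demo():
    """Constructed traffic: timestamps in seconds, sizes in bytes."""
    m = VirusMonitor(limit_bytes=1000, window_s=1.0)
    passed = [m.observe(0.1, 600), m.observe(0.2, 600, infected=True)]
    mode_after_mild = m.mode            # level 1 only, so the monitor stays in standby
    m.mode_change_command(Mode.INLINE)  # controller decides to escalate
    passed.append(m.observe(0.3, 100, infected=True))
    m.mode_change_command(Mode.STANDBY)
    for i in range(5):                  # burst in a new window: 5000 bytes
        m.observe(2.0 + i * 0.1, 1000)
    return passed, mode_after_mild, m.mode, len(m.flags)
```

In the constructed run, the infected packet seen in standby mode is flagged but still passes, the one seen after the controller's command is dropped, and the later burst moves the monitor to inline mode on its own.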






